By Erika Morphy E-Commerce Times
12/23/08 4:00 AM PT
Privacy statements are all over the Web, it seems, and they're pretty much universally ignored. That's because the legal tracts that most companies display are the epitome of user-unfriendliness. A few mavericks are trying a different approach, though, with statements that are clear, concise -- and sometimes even entertaining.
Lorrie Thomas does not "sell, share or whore out" the personal information of any visitor who comes to her Lorrie Thomas Web Marketing site -- and she backs up this no-share promise in her privacy statement.
Indeed, the entire document is a straightforward description of what the company will and will not do with personal data. For example, it "collects the domain name (where possible) of visitors to our website, and user-specific information on what pages consumers access or visit. The information we collect is used to improve the content and layout of our website."
Cookies? None.
Ad Servers? It does not maintain any such relationships.
Furthermore, any contact from the company will be only about the specific information the visitor requested.
The firm's policy over sharing its information -- and with whom -- was the greatest concern among clients, Thomas told CRM Buyer, "so I decided to be as blunt as possible to get my message across."
For anyone who has waded through the typically mind-numbing legalese of the privacy statements that many companies put out, Thomas' version is a breath of fresh air.
Aimed at informing consumers of precisely what will be done with their personal information -- and thus reassuring them -- most privacy documents are weighed down by details. They end up being the very antithesis of consumer-friendly outreach.
Slow-Moving Trend
That is beginning to change. "Everyone understands that these statements are very difficult for the consumer to read and understand," said Lisa Sotto, partner and head of privacy and information management practice at Hunton & Williams.
Within the last few years, there has been a trend among companies to make these notices more comprehensible to the average consumer. Sotto dates this push back to when the Federal Trade Commission offered up guidelines for changing the format of the privacy notices required under the Gramm-Leach-Bliley Act (GLB Act).
In general, the "FTC is very active in this arena," she said, "and its focus includes all companies -- not just the big ones."
A privacy protection division the FTC formed about two years ago is further evidence of the agency's seriousness, she noted.
Privacy statements that invoke the FTC's ire include "notices that don't provide sufficient information about collection and disclosure practices, or security practices, or notices that are in legalese," she said. "It is also critical that companies provide adequate information, and the language is written so that it can be understood by the average reader," she said.
Ironically, there are few laws that actually require businesses to offer their customers a privacy notice. Once a company has published one, however, the FTC's mission is to see that it's honored. Laws on the books that do mandate a privacy notice include the GLB Act (for financial companies), HIPAA (for health providers) and a California law that de facto covers everyone else, as it applies to any company that does business in the state.
Despite this patchwork policy framework, best practices for privacy notices are beginning to gain traction, Sotto said.
One, for instance, calls for the company to pull into a shorter document key provisions and terms, making it easier for consumers to compare privacy notices from company to company.
Another best practice is defining terms in easy-to-understand language, noted Bart Lazar, a partner with Seyfarth Shaw. That, plus its easy-to-read format, is why he likes American Express' privacy notice, he told the E-Commerce Times.
"It is navigable, and it breaks things up into nice chunks and then defines its terms," Lazar said.
The Entertainment Factor
Unfortunately, there is no best practice that calls for a company to entertain its clients via its privacy notice, a la Thomas and, to cite another example, the Kramer Law Firm, which advises readers that it is "not sophisticated enough to automatically collect your personally identifiable information, such as your name, address or email address, hopes, wishes, disappointments, etc. ... [but] in those instances when we do collect personally identifiable information ... We'll tell you when we are collecting personally identifiable information about you by asking for it. If we ask for your name, address, phone number, email address, shoe size, etc., you can be sure that that's within the category of 'personally identifiable information.'"
As for security, Kramer's Web site "maintains virtually no more than the most basic safeguards -- i.e., password protected databases and the like -- to ensure the security, integrity and privacy of personally identifiable information submitted to our site.
"If you're uncomfortable with our honesty here, we strongly encourage you to use false data when responding to our requests for your personal information. That way, if that personal information is ever disclosed, you'll rest soundly knowing that nothing of real value has been lost," the statement reads.
The Straightforward Route
Indeed, it is still rare -- despite the examples set by heavy hitters such as Microsoft (Nasdaq: MSFT) or Kraft -- to find a privacy notice that is merely easy to read.
Many companies do not set out to write complex policies. Oftentimes, they are just woefully misguided about what is required, Joseph E. Campana, author of Privacy MakeOver: The Essential Guide to Best Practices, told CRM Buyer. "I saw one recently that said it was providing a privacy notice because the Freedom of Information Act required companies to do so. When I asked the company where it got that, someone told me that the Web master included that language."
Campana points to his privacy notice as a guide. It includes sections on the information the site collects; how that information is used; whether it is disclosed to others (no, it is not); its security policy and its opt-out provision.
Basically, there are a handful of questions that a good privacy notice will answer, Hunton's Sotto agreed -- and without the use of legalese:
what information is collected;
how it is used;
to whom it is disclosed;
what security is provided;
how visitors are notified of changes to the policy; and
contact information for the company.
Companies get bonus points if they provide users with a way to change information they have already turned over.